Is there a sandboxing program like Sandboxie for Mac?

Solution 1:

macOS has a built-in sandbox feature which may help you, but it does not have exactly the same functionality as Sandboxie.

This blog post by Paolo Fabio Zaino from 2015 explains how to run applications in a Mac OS X sandbox. He summarizes it this way:

By using sandboxing, you can restrict the access an application can have to operating system resources like the filesystem or network, etc…

Quoting his blog post:

How to sandbox an application?

First of all, to let Mac OS X know which resources your application requires to be able to run properly, we need to create a sandbox configuration file. This activity will require some time and testing because each application has different requirements.

Here is an example (change MyApp with your application name):

;; This is my first sandbox configuration file!
(version 1) 
(deny default)

;; Let's allow file read and write in specific locations and not 
;; all over my filesystem!
;; Please note you can add more (regex "^/Users/user_name/xxxxxxxxxxx") lines depending 
;; on what your MyApp needs to function properly.
(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/user_name/[Directories it requires to write and read from]")
  (regex "^/Applications/MyApp.app")
  (regex "^(/private)?/tmp/"))

;; You can also add a separate section for reading and writing files outside your
;; user_name account directory.
(allow file-read-data file-read-metadata
  (regex "^/dev/autofs.*")
  (regex "^/System/Library")
  (regex "^/Applications/MyApp.app")
  (regex "^/usr/lib")
  (regex "^/var")
  (regex "^/Users/user_name"))

;; If your MyApp requires to access sysctl (in read)
(allow mach* sysctl-read)

;; If you want to import extra rules from 
;; an existing sandbox configuration file: 
(import "/usr/share/sandbox/bsd.sb")

;; If you want to decide in which filesystem paths 
;; MyApp is forbidden to write:
(deny file-write-data
  (regex #"^(/private)?/etc/localtime$"
         #"^/usr/share/nls/"
         #"^/usr/share/zoneinfo/"))

;; If your MyApp wants to run extra processes, it will be allowed to run only
;; child processes and nothing else
(allow process-exec 
  (regex "^/Applications/MyApp.app"))

;; If your MyApp requires network access you can grant it here:
(allow network*)

Once we are done with the sandbox configuration file for our application, we can simply execute it using the following command from the command line:

sandbox-exec -f myapp-sandbox-conf /Applications/MyApp.app/Contents/MacOS/MyApp-bin

Where myapp is the name of the application you want to run in a sandbox.

If my generic sandbox file is too generic for you and you want more practical examples (already implemented), then run your terminal application and have a look at all the examples already kindly provided by Apple:

ls /usr/share/sandbox

In this directory you'll find plenty of files like sshd.sb to look into for more insight and as a tutorial for writing your own sandbox configuration file for your specific application.
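An added example, not part of the quoted blog post or of either answer: a small Python linter for sandbox-exec profiles like the one in Solution 1. It flags allow rules with no filter, regexes without a leading ^, and anchored regexes that end without / or $ (such a pattern also matches sibling paths like /Applications/MyApp.appX). The finding names and the sample profile are constructed for illustration, and the checks assume regex filters behave as ordinary unanchored regular expressions.

```python
import re
# Tokens: ;; comment | "string" or #"regex" literal | parenthesis | bare atom
TOKEN = re.compile(r';[^\n]*|#?"(?:\\.|[^"\\])*"|[()]|[^\s()";]+')

def parse(text):
    """Parse profile text into nested lists, one per parenthesised form."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            form = stack.pop()
            if not stack:
                raise ValueError("unbalanced ')'")
            stack[-1].append(form)
        elif not tok.startswith(";"):         # skip ;; comments
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def audit(text):
    """Return (kind, detail) findings for over-broad grants in a profile."""
    forms, findings = parse(text), []
    if ["deny", "default"] not in forms:
        findings.append(("not-default-deny", "missing (deny default)"))
    for form in forms:
        if form[:1] != ["allow"]:
            continue
        ops = " ".join(x for x in form[1:] if isinstance(x, str))
        filters = [x for x in form[1:] if isinstance(x, list)]
        if not filters:                       # e.g. (allow network*)
            findings.append(("unfiltered-allow", ops))
        for pat in (p for f in filters if f[:1] == ["regex"] for p in f[1:]):
            body = pat.lstrip("#")[1:-1]      # drop optional # and the quotes
            if not body.startswith("^"):
                findings.append(("unanchored-regex", body))
            elif not body.endswith(("/", "$")):
                findings.append(("open-prefix-regex", body))
    return findings

# Constructed sample, modelled on the profile quoted above.
SAMPLE = r'''(version 1)
(deny default)
(allow file-write* (regex "^/Applications/MyApp.app" "^(/private)?/tmp/"))
(allow file-read-data (regex #"^/usr/share/zoneinfo/" #"/Library/Fonts"))
(allow network*)  ;; no filter at all'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding is a prompt to review the rule, not proof of a problem: an unfiltered `network*` grant may be exactly what the application needs.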

Solution 2:

Well, there is this app - https://www.macupdate.com/app/mac/19025/sandbox (Sandbox), but I am not sure if this works well with the latest edition. As such, all apps need to be sandboxed according to enhanced security measures, but this only applies to apps on the Mac Store, not to all the other apps that are not on the store!